UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

JMX authentication must be secured.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222963 TCAT-AS-000610 SV-222963r557518_rule Medium
Description
Java Management Extensions (JMX) provides the means to remotely manage the Java VM. When enabling the JMX agent for remote monitoring, the user must enable authentication.
STIG Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide 2020-09-23

Details

Check Text ( C-24635r426333_chk )
From the Tomcat server run the following command:

sudo grep -I jmxremote.authenticate /etc/systemd/system/tomcat.service
sudo ps -ef |grep -i jmxremote

If the results are blank, this is not a finding.

If the results include:

-Dcom.sun.management.jmxremote.authenticate=false, this is a finding.
Fix Text (F-24624r426334_fix)
If using JMX for management of the Tomcat server, start the Tomcat server by adding the following command line flags to the systemd startup scripts in /etc/systemd/system/tomcat.service.

Environment='CATALINA_OPTS -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true'

sudo systemctl start tomcat
sudo systemctl daemon-reload